Information Security Plan

Contents

I. Application/System Identification
    1. Information System Name/Title
    2. Information Contact(s)
    3. Information System Operational Status
    4. Applicable Laws or Regulations Affecting the System
II. Security Roles and Responsibilities
III. Staff SDLC Security Task Orientation
IV. System Criticality Level
V. Information Classification
VI. Security Profile Objectives
VII. System Profile
VIII. System Decomposition
IX. Vulnerability and Threat Assessment
X. Risk Assessment
XI. Security Controls Selection and Documentation
XII. Test Data Creation
XIII. Security Control Testing
XIV. Accreditation (Executive Level Sign-off)
XV. Change Management and Control
XVI. Security Compliance Measurement
XVII. System Disposal
Appendix A: Available Resources

I. Application/System Identification

1. Information System Name/Title

Unique identifier and name given to the system

2. Information Contact(s)

Information owner & name of person(s) responsible for/knowledgeable about the application/system:

Name:
Title:
Address:
Email address:
Phone number:

3. Information System Operational Status

Indicate the operational status of the system. If more than one status is selected, list which part of the system is covered under each status.

- Operational
- Under development
- Undergoing a major modification/redesign

4. Applicable Laws or Regulations Affecting the System

List all laws and/or regulations that establish specific requirements for confidentiality, integrity, or availability of data/information in the system. Typically, these must be defined by the information owners and/or counsel.

II. Security Roles and Responsibilities

List below the security roles defined within this application/system's SDLC, the expected security responsibilities and the name of the person(s) assigned to each role.
Security Roles and Assignments

| Security Role | Name and Contact Information | Security Responsibilities |
|---|---|---|
| Authorizing Official (AO) | Name: Title: Address: Email address: Phone number: | |
| Chief Information Officer (CIO) | Name: Title: Address: Email address: Phone number: | |
| Configuration Management (CM) Manager | Name: Title: Address: Email address: Phone number: | |
| Contracting Officer | Name: Title: Address: Email address: Phone number: | |
| Contracting Officer's Technical Representative | Name: Title: Address: Email address: Phone number: | |
| Information System Security Officer | Name: Title: Address: Email address: Phone number: | |
| Information Technology Investment Board (or equivalent) | Name: Title: Address: Email address: Phone number: | |
| Legal Advisor / Contract Attorney | Name: Title: Address: Email address: Phone number: | |
| Privacy Officer | Name: Title: Address: Email address: Phone number: | |
| Program Manager / Official (Information Owner) | Name: Title: Address: Email address: Phone number: | |
| QA / Test Director | Name: Title: Address: Email address: Phone number: | |
| Senior Agency Information Security Officer (SAISO) | Name: Title: Address: Email address: Phone number: | |
| Software Developer | Name: Title: Address: Email address: Phone number: | |
| System Architect | Name: Title: Address: Email address: Phone number: | |
| System Owner | Name: Title: Address: Email address: Phone number: | |
| Other Participants | Name: Title: Address: Email address: Phone number: | |

Note: The above security roles were taken from NIST 800-64. Roles that do not apply to this project can be removed. Additional roles can be added as needed.

III. Staff SDLC Security Task Orientation

Identify the person(s) responsible for assuring that orientation is provided to all parties responsible for performing security awareness activities as part of the application/system's SDLC process.

| Security Role | Name and Contact Information |
|---|---|
| Responsible Person | Name: Title: Address: Email address: Phone number: |

Document how staff will be oriented.
IV. System Criticality Level

In the table below, record the System Criticality Profile of all systems and applications that are within the scope of this project. The criticality profile is qualitative, with the possible choices being Mission Critical (MC), Mission Important (MI) and Mission Supportive (MS).

Table II-B-2: System Criticality Profile

| System / Application Name | Criticality Level (MC/MI/MS) | Description |
|---|---|---|
| | | |

Definitions:

- Mission Critical (MC): Automated information resources whose failure would preclude the Agency from accomplishing its core business operations.
- Mission Important (MI): Automated information resources whose failure would not preclude the Agency from accomplishing core business processes in the short term, but would cause failure in the mid to long term (3 days to 1 month).
- Mission Supportive (MS): Automated information resources whose failure would not preclude the Agency from accomplishing core business operations in the short to long term (more than 1 month), but would have an impact on the effectiveness or efficiency of day-to-day operations.

V. Information Classification

Information classification documents can be included within or as an attachment to the information security plan.

Refer to Appendix A: Available Resources for a template to complete the information classification activity. Additionally, a sample is provided.

VI. Security Profile Objectives

During each life cycle phase of the system development life cycle, the importance and relevance of each security objective must be evaluated.

Refer to Appendix A: Available Resources for a template to complete the security profile objectives activity. Additionally, a sample is provided.

VII. System Profile

Provide a high-level overview of the system that identifies the system's attributes such as the physical topology, the logical tiers, components, services, actors, technologies, external dependencies and access rights.
Refer to Appendix A: Available Resources for a template to complete the system profile activity. Additionally, a sample is provided.

VIII. System Decomposition

Decompose the system into finer components and document its mechanics (i.e. the inner workings). This includes documentation of trust boundaries, information entry and exit points, data flows and privileged code.

Refer to Appendix A: Available Resources for a template to complete the system decomposition activity. Additionally, a sample is provided.

IX. Vulnerability and Threat Assessment

Vulnerability assessments must be iteratively performed within the SDLC process. Threat assessments must consider and document the threat sources, threat source motivations and attack methods that could potentially pose threats to the security of the system. Threat assessments and the underlying threat modeling deliverables that support the assessment must also be fully documented.

Refer to Appendix A: Available Resources for a template to complete the vulnerability and threat assessment activity. Additionally, a sample is provided.

X. Risk Assessment

Risk assessments must be iteratively performed within the SDLC process. These begin as an informal, high-level process early in the SDLC and become a formal, comprehensive process prior to placing a system or software into production.

Refer to Appendix A: Available Resources for a template to complete the risk assessment activity. Additionally, a sample is provided.

XI. Security Controls Selection and Documentation

Documentation of controls must be sufficiently detailed to enable verification that all systems and applications adhere to all relevant security policies and to respond efficiently to new threats that may require modifications to existing controls.
Refer to Appendix A: Available Resources for a template to complete the security controls selection and documentation activity. Additionally, a sample is provided.

XII. Test Data Creation

Document in narrative form how test data will be or has been created and used for testing this system. Documentation must include the following information:

- Describe the process used to develop test data for the application/system.
- Indicate if production data has been used for testing purposes and, if so, what actions have been taken to protect the confidentiality of the production information.
- Provide an overview of the test process for performing security and regression testing for this application/system.

XIII. Security Control Testing

Document how security controls will be or have been tested for this system. In the initial SDLC phases, documentation must specify the anticipated processes and environments which will be used to test security controls. Once the controls are actually being tested, this documentation must be updated to include the following information:

- The environment in which the controls are tested
- The extent to which the test environment differs from the production environment
- The extent to which separation of duties is observed throughout the testing process

Documentation must provide assurance that all security controls have been applied appropriately, implemented correctly and are functioning properly and actually countering the threats and vulnerabilities for which they are intended.

XIV. Accreditation (Executive Level Sign-off)

The sign-off is typically completed by a decision letter which provides one of the following:

- Authorization to Operate
- Authorization to Operate in the Interim
- Denial of Authorization to Operate

Refer to Appendix A: Available Resources for examples of accreditation letters.
XV. Change Management and Control

Document the change management process that is followed whenever a system or application is modified. Indicate how this process ensures that all SDLC security activities are considered and performed, if relevant, and what controls in the change management process are in place to ensure that all security controls and documentation that are impacted by the change are updated.

XVI. Security Compliance Measurement

Document the process used to periodically measure this application/system's security compliance with all federal, state and external compliance standards with which the SE is required to comply. Record all compliance assessments that have been performed, including the results of each compliance assessment.

XVII. System Disposal

Document system disposal requirements and the process that was/will be used to meet these requirements. Include the process that was/will be used to archive and/or destroy information and sanitize media.

Note: Be sure all federal and state retention requirements have been met prior to disposal.

Appendix A: Available Resources

The following types of resources are available for use to complete the Security Plan. These individual documents can be inserted into the Plan document directly or attached as appendices.

- Template: Blank document that includes the minimum required elements. It can be branded to your organization.
- Sample: A completed or partially completed template using generic information.
- Example: A document previously developed by an SE which has been deemed acceptable for reporting purposes by the EISO.

The table below provides links to the available resources by Security Activity.
Information Classification
- Template: Information Asset Classification Worksheet
- Sample:
- Example:

Security Profile Objectives
- Template: Template_SecurityProfileObjectives
- Sample: Sample_SecurityProfileObjectives

System Profile
- Template: Template_SystemProfile
- Sample: Sample_SystemProfile

System Decomposition
- Template: Template_SystemDecomposition
- Sample: Sample_SystemDecomposition

Vulnerability and Threat Assessment
- Template: Template_ApplicationRiskAssessment
- Sample: Sample_ApplicationRiskAssessment

Risk Assessment
- Refer to above documents for Vulnerability and Threat Assessment activity.

Security Controls Selection and Documentation
- Template: Template_RiskAcceptanceAndControlAssignment
- Sample: Sample_RiskAcceptanceAndControlAssignment

Accreditation
- Example: Example_AccreditationDecisionLetter_Authorization
- Example: Example_AccreditationDecisionLetter_Interim
- Example: Example_AccreditationDecisionLetter_Denial

Version: <#.#>    Information Security Plan    Date:
Version: <0.01>    NYS Information Security Plan Template    Date:

This can't be completed until the Info Class Policy/Standard/Procedure review is completed.
Use OCFS?
Discussed adding the Control Assignment to the Risk Assessment spreadsheet. This has not been done to date.
These will be linkable

Document properties: Main Information Security Plan Template; New York State Workers' Compensation Board; Microsoft Office Word 97-2003 Document